Open Recommendations

FHFA’s Chief Information Officer should reevaluate the former Acting Chief Information Officer’s risk acceptance related to portable software programs, and implement security controls to detect and prevent users from downloading and running unapproved software on FHFA’s system in accordance with National Institute of Standards and Technology and FHFA’s Rules of Behavior.

FHFA’s Chief Information Officer should monitor and respond to unauthorized software downloads in accordance with FHFA’s Common Control Plan.

FHFA’s Chief Information Officer should develop a Plan of Action and Milestones to track the remediation of past due Cybersecurity and Infrastructure Security Agency Known Exploitable Vulnerabilities in accordance with Cybersecurity and Infrastructure Security Agency’s Binding Operational Directive 22-01 and FHFA’s Office of Technology and Information Management Vulnerability Management Process, Revision 2.7 (September 7, 2022). FHFA’s Office of Technology and Information Management should implement compensating controls (i.e., isolating systems with un-remediated vulnerabilities) to mitigate the risk of the vulnerabilities.

FHFA’s Chief Information Officer should prioritize existing Office of Technology and Information Management resources based on the Plan of Action and Milestones to ensure that Cybersecurity and Infrastructure Security Agency Known Exploitable Vulnerabilities are remediated in accordance with Cybersecurity and Infrastructure Security Agency’s Binding Operational Directive 22-01 and FHFA’s Office of Technology and Information Management Vulnerability Management Process, Revision 2.7 (September 7, 2022).

FHFA’s Chief Information Officer should implement security controls to lock down USB ports so that only authorized USB devices are allowed.

Require that the PLUS system for receiving, processing, and assigning applications tracks applications and captures application intake, screening, and status, including key dates; captures data on the type of underwriter used; includes a portal for receiving documents and communicating with lenders; and generates FHA loan numbers. This will allow HUD to identify, monitor, and address processing delays and issues on a continuous basis; evaluate its performance and processes; and manage future challenges.

Update policies and procedures to include methods that will be used when applications exceed underwriter capacity, align intake and screening processes, and explain when timeframes will be enforced, including in PLUS.

Issue an industry wide letter to reinforce how intake, screening, and enforcement of timeframes will be handled.

We recommend that the Centers for Medicare & Medicaid Services direct the MACs to recover from hospitals the portion of the $382,032 in identified overpayments for the sampled claims during our audit period that are within the 4-year reopening period in accordance with CMS's policies and procedures.

We recommend that the Centers for Medicare & Medicaid Services educate hospitals on correctly counting the hours of mechanical ventilation and submitting claims with correct procedure and diagnosis codes, which could have saved an estimated $79,354,175 for our audit period.

We recommend the Del Rio Sector Chief, Border Patrol, CBP, in coordination with partner agencies, continue to refine current strategies and identify new strategies to manage delays in detainee transfers to partners to minimize detainees’ time in custody and implement throughout the Del Rio sector.

We recommend to the Deputy Executive Assistant Commissioner, Operations Support, Office of Chief Medical Officer, CBP, ensure the number of onsite contract medical staff at short-term holding facilities in the Del Rio sector meets contract requirements to provide quality care to all detainees in custody.

We recommend that OPM develop a SORN for WHF and publish the SORN in the Federal Register.

Enable the Office of Finances automated payment system to deny payment for community dental services if the procedure codes on the dental claims do not fall within the Standardized Episodes of Care on the referral.

Establish procedures to conduct periodic reviews for compliance with merchant information requirements and address noncompliance within a reasonable timeframe.

Establish automated processes to identify merchants that shortpay, and create and issue automated noncompliance notifications to merchants and label providers, when applicable.

Modify processing instructions for priority cases to include appropriate processing timeframes and follow-up procedures to support the Social Security Administration and Disability Determination Services’ monitoring of processing times.

Institute financial penalties for Boeing’s noncompliance with quality control standards.

EXIM’s Office of the Chair, in coordination with the China and Transformational Exports Program (CTEP) office, should establish policy and procedures that clearly define the authorities, roles, and responsibilities across EXIM for CTEP implementation.

EXIM’s China and Transformational Exports Program office, in coordination with the Office of the Chair, should review the functions, roles, and responsibilities of program officials and determine whether the program is sufficiently staffed and whether obstacles exist for recruitment and retention.

EXIM’s China and Transformational Exports Program office should establish a performance management framework, including measurable goals and indicators to assess program success and progress in achieving its intended purpose.

EXIM’s China and Transformational Exports Program (CTEP) office should assess how existing policies and practices may be adapted to maximize CTEP’s effectiveness and potential including whether the program has the necessary tools it requires to address Transformational Export Areas and then develop a plan to implement these policies.

This recommendation contains sensitive information that should not be made public. Therefore, we are not including the wording for this recommendation.

This recommendation contains sensitive information that should not be made public. Therefore, we are not including the wording for this recommendation.

This recommendation contains sensitive information that should not be made public. Therefore, we are not including the wording for this recommendation.

This recommendation contains sensitive information that should not be made public. Therefore, we are not including the wording for this recommendation.

This recommendation contains sensitive information that should not be made public. Therefore, we are not including the wording for this recommendation.

This recommendation contains sensitive information that should not be made public. Therefore, we are not including the wording for this recommendation.

This recommendation contains sensitive information that should not be made public. Therefore, we are not including the wording for this recommendation.

This recommendation contains sensitive information that should not be made public. Therefore, we are not including the wording for this recommendation.

This recommendation contains sensitive information that should not be made public. Therefore, we are not including the wording for this recommendation.

This recommendation contains sensitive information that should not be made public. Therefore, we are not including the wording for this recommendation.

This recommendation contains sensitive information that should not be made public. Therefore, we are not including the wording for this recommendation.

The Chief Information Officer should re-establish the Technology Retirement Office or implement a similar enterprise-wide program to identify, prioritize, and decommission legacy systems.

In coordination with the Department of Justice (Department), continue to support implementation of the Final Rule by advancing counsel and responding expediently to requests for information that are routed to the BOP from various stakeholders.

Improve or enhance its antifraud efforts for the ESG program and incorporate fraud risk
management practices that are consistent with the best practices identified in the Government
Accountability Office's A Framework for Managing Fraud Risks in Federal Programs and Chief
Financial Officers Council and Treasury Bureau of the Fiscal Services' Antifraud Playbook.

Obtain training or technical assistance as needed on the implementation of fraud risk
management practices.

Coordinate with MHMR to ensure that the matching requirement is met.

Remedy $8,361 in unsupported contractor costs under Grant Number 15PJDP-22-GG-03809 DGCT.

Remedy $10,077 in unsupported other direct costs, including $7,009 under Grant Number 2020-DC-BX-0110, $895 under Grant Number 2020-AR-BX-0082, $364 under Grant Number 15PBJA-21-GG-03978 MENT, and $1,809 under Grant Number 15PJDP-22-GG-03809 DGCT.

Remedy $74,840 in unsupported matching costs under Grant Number 2020-DC-BX-0110.

Recover COVID-19 EIDL funds provided to the two ineligible borrowers.

We recommend that GSA’s Chief Financial Officer and Chief Information Officer conduct a comprehensive assessment of GSA’s CIO-IT Security-19-97, IT Security Procedural Guide: Robotic Process Automation (RPA) Security, (RPA policy) to ensure, among other things, that its monitoring controls are effectively designed and implemented.

We recommend that GSA’s Chief Financial Officer and Chief Information Officer develop oversight mechanisms to enforce compliance with the RPA policy and ensure that controls are operating effectively.

We recommend that GSA’s Chief Financial Officer and Chief Information Officer review all system security plans that bots currently interact with to determine if they address bot and non-person entity access. Update the system security plans, as needed.

We recommend that GSA’s Chief Financial Officer and Chief Information Officer review all system security plans that bots currently interact with to determine if the security controls need to be updated. Update the system security plans, as needed.

Make ERM implementation a priority by providing the ERM team the resources it needs to ensure ERM reaches maturity no later than the planned date of FY 2028, in accordance with its current ERM Implementation Plan.

Ensure as SSA is working toward reaching maturity that the ERMC is providing leadership over the ERM program and that key Circular A-123 requirements are completed. For example, key requirements should include regular evaluation of SSA’s risk appetite and risk tolerance levels and ERMC communications in support of an Agency-wide risk culture.

Implement qualitative or quantitative measures to measure, report on, and monitor the information security and SCRM performance of organizationally defined products, systems, and services provided by external providers.

The auditors recommend that the Chief Information Officer require the Department and FSA to capture the missinghardware data elements for each identified system and assess whether other information systems may be missing similaror related data elements.